b"September 2006\nReport No. 06-019\n\n\nResponses to Security-Related\nQuestions in OMB\xe2\x80\x99s Fiscal Year 2006\nReporting Instructions for FISMA and\nAgency Privacy Management\n\x0c                                   Responses to Security-Related Questions in OMB\xe2\x80\x99s\n                                   Fiscal Year 2006 Reporting Instructions for FISMA\n                                   and Agency Privacy Management\n\nBackground and                     Results of Audit\nPurpose of Audit\n                                   As KPMG\xe2\x80\x99s responses to the OMB questions indicate, the FDIC has\nTo achieve its mission, the\nFDIC relies heavily on             implemented plans of action and milestones, an incident response\nautomated information systems      capability, and security awareness and training that substantially address\nto collect, process, and store     the criteria used by the OMB for assessing the status of those aspects of\nvast amounts of banking            agency security programs. However, continued management attention is\ninformation. Ensuring the          needed in some security control areas\xe2\x80\x94such as information systems\nintegrity, availability, and\nappropriate confidentiality of     inventory, oversight of contractor systems, certification and accreditation,\nthis information requires a        and security configuration management\xe2\x80\x94to ensure compliance with\nstrong, enterprise-wide            FISMA and consistency with National Institute of Standards and\ninformation security program.      Technology standards and guidelines. 
KPMG\xe2\x80\x99s work did not identify any\n                                   significant deficiencies in the FDIC\xe2\x80\x99s information security program\nThe Federal Information\nSecurity Management Act of         warranting consideration as a potential material weakness as defined by the\n2002 (FISMA) directs federal       OMB.\nagencies to have an annual\nindependent evaluation             The OMB questions focus on certain key components of the FDIC\xe2\x80\x99s\nperformed of their information     information security program. We plan to issue a report entitled,\nsecurity program and practices\nand to report the results of the   Independent Evaluation of the FDIC\xe2\x80\x99s Information Security Program-2006\nevaluation to the Office of        (FDIC-OIG Report No. 06-022), that provides an overall assessment of the\nManagement and Budget              FDIC\xe2\x80\x99s information security program, including detailed results of work\n(OMB), the Comptroller             performed in the areas covered by the OMB questions. The report also\nGeneral, and various               identifies key steps that the Corporation can take to strengthen its\ncongressional committees. In\naddition, the OMB instructs        information security program.\nagencies and cognizant\nInspectors General (IG) to\nanswer specific questions          Recommendations and Management Response\nrelated to the status of their\nsecurity program as part of the\nFISMA evaluation.                  The focus of this audit was on responding to OMB\xe2\x80\x99s questions to the IGs.\n                                   Accordingly, this report does not contain any recommendations. A written\nThe objective of this audit was    response was not required from the Corporation. 
However, the\nto answer specific security-       Corporation provided informal comments, which were considered and\nrelated questions addressed to     incorporated, as appropriate, into the report.\nagency IGs in the OMB\xe2\x80\x99s\nJuly 17, 2006 memorandum\nentitled, FY 2006 Reporting\nInstructions for the Federal\nInformation Security\nManagement Act and Agency\nPrivacy Management. We\ncontracted with KPMG LLP\n(KPMG) to perform this audit.\n\nTo view the full report, go to\nwww.fdicig.gov/2006reports.asp\n\x0c\x0c   Responses to Security-Related Questions in OMB\xe2\x80\x99s\nFiscal Year 2006 Reporting Instructions for FISMA and\n             Agency Privacy Management\n                (Report Number 06-019)\n\n\n                   Prepared for the\n         Federal Deposit Insurance Corporation\n              Office of Inspector General\n\n                   FINAL REPORT\n\n\n\n\n                           Prepared by:\n                            KPMG LLP\n                 Advisory Services, Federal Practice\n                        2001 M Street, NW\n                      Washington, DC 20036\n                           202-533-3000\n\x0c                      TABLE OF CONTENTS\n\nINTRODUCTION                                                    1\n\nBACKGROUND                                                      1\n\nRESULTS OF AUDIT                                                2\n\nCORPORATION COMMENTS                                            2\n\n\n\nAPPENDICES\n\nAPPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY                   3\n\nAPPENDIX II: RESPONSES TO OMB QUESTIONS                         4\n\n\n\n\nACRONYMS\n\nC&A            Certification and Accreditation\nCIO            Chief Information Officer\nFDIC           Federal Deposit Insurance Corporation\nFIPS           Federal Information Processing Standards\nFISMA          Federal Information Security Management Act\nGAO            Government Accountability Office\nFY             Fiscal Year\nIG    
         Inspector General\nIT             Information Technology\nKPMG           KPMG LLP\nNIST           National Institute of Standards and Technology\nOIG            Office of Inspector General\nOMB            Office of Management and Budget\nPOA&M          Plan of Action and Milestones\nST&E           Security Test and Evaluation\n\x0cINTRODUCTION\n\nOn July 17, 2006, the Office of Management and Budget (OMB) issued a memorandum\nentitled, FY [Fiscal Year] 2006 Reporting Instructions for the Federal Information\nSecurity Management Act and Agency Privacy Management. The OMB memorandum\ndirects agency Chief Information Officers (CIO) and Inspectors General (IG) to answer a\nseries of questions related to the performance of their respective agency\xe2\x80\x99s information\nsecurity program. The Federal Deposit Insurance Corporation (FDIC) Office of Inspector\nGeneral (OIG) contracted with KPMG LLP (KPMG) to conduct a performance audit for\nwhich the objective was to prepare responses to the OMB questions directed to the IGs.\n\nThe responses to the OMB questions are based on the results of work KPMG performed\nin support of the FDIC OIG\xe2\x80\x99s 2006 independent security evaluation1 required by the\nFederal Information Security Management Act (FISMA) of 2002. The work included\nassessing the information security policies, procedures, and practices for a representative\nsubset of the FDIC\xe2\x80\x99s information systems2 as required by FISMA. Such work also\nincluded an assessment of common security controls applicable to one or more FDIC\ninformation systems and consideration of relevant information-security-related audits. In\naddition, the FDIC OIG has contracted with KPMG for a separate report containing\ninformation related to the FDIC\xe2\x80\x99s privacy program.3 The information is also requested in\nOMB\xe2\x80\x99s reporting instructions.\n\nAppendix I describes our objective, scope, and methodology. 
Appendix II contains the\nresponses to each of the information-security-related questions in the format prescribed\nby the OMB Director.\n\n\nBACKGROUND\n\nTitle III of the E-Government Act of 2002, commonly referred to as FISMA, requires\nfederal agencies, including the FDIC, to develop, document, and implement an agency-\nwide information security program that provides security for the information and systems\nthat support the operations and assets of the agency, including those provided or managed\nby another agency, contractor, or other source. FISMA directs federal agencies to report\nannually to OMB, the Comptroller General, and various congressional committees on the\nadequacy and effectiveness of agency information security policies, procedures, and\npractices, including compliance with FISMA. In addition, OMB instructs each agency\n\n1\n    Independent Evaluation of the FDIC\xe2\x80\x99s Information Security Program-2006 (FDIC-OIG Report\n    No. 06-022), scheduled for issuance in September, 2006.\n2\n    We performed a detailed analysis of the FDIC\xe2\x80\x99s local area network/wide area network and mainframe\n    general support systems. We also performed a limited analysis of a contractor system (Central Data\n    Repository).\n3\n    Response to Privacy Program Information Request in OMB\xe2\x80\x99s Fiscal Year 2006 Reporting Instructions\n    for FISMA and Agency Privacy Management (FDIC-OIG Report No. 
06-018), dated September 22,\n    2006.\n\x0cand its IG to answer specific questions as part of the agency\xe2\x80\x99s overall FISMA evaluation.\nOMB uses the agency FISMA reports for various purposes, such as helping to evaluate\ngovernment-wide security performance, developing OMB\xe2\x80\x99s annual security report to the\nCongress, and assisting in improving and maintaining adequate agency security\nperformance.\n\n\nRESULTS OF AUDIT\n\nAs KPMG\xe2\x80\x99s responses to the OMB questions (see Appendix II) indicate, the FDIC has\nimplemented plans of action and milestones, an incident response capability, and security\nawareness and training that substantially address the criteria used by the OMB for\nassessing the status of those aspects of agency security programs. However, continued\nmanagement attention is needed in some security control areas\xe2\x80\x94such as information\nsystems inventory, oversight of contractor systems, certification and accreditation, and\nsecurity configuration management\xe2\x80\x94to promote compliance with FISMA and\nconsistency with National Institute of Standards and Technology (NIST) standards and\nguidelines. KPMG\xe2\x80\x99s work did not identify any significant deficiencies in the FDIC\xe2\x80\x99s\ninformation security program warranting consideration as a potential material weakness\nas defined by the OMB.4\n\nThe OMB questions focus on certain key components of the FDIC\xe2\x80\x99s information security\nprogram. The OIG\xe2\x80\x99s report, Independent Evaluation of the FDIC\xe2\x80\x99s Information Security\nProgram-2006, provides an overall assessment of the FDIC\xe2\x80\x99s information security\nprogram, including detailed results of audit work in the areas covered by the OMB\nquestions. That report also identifies key steps that the Corporation can take to\nstrengthen its information security program. 
KPMG was also under contract with the\nOIG to support this overall evaluation.\n\n\nCORPORATION COMMENTS\n\nA written response was not required for the report. However, the Corporation provided\ninformal comments, which were considered and incorporated, as appropriate, into the\nreport.\n\n\n\n\n4\n    The OMB defines a significant deficiency as a weakness in an agency\xe2\x80\x99s overall information systems\n    security program or management control structure, or within one or more information systems that\n    significantly restricts the capability of the agency to carry out its mission or compromises the security of\n    its information, information systems, personnel, or other resources, operations, or assets. In this context,\n    the risk is great enough that the agency head and outside agencies must be notified, and immediate or\n    near-immediate corrective action must be taken. The OMB defines a material weakness as a deficiency\n    that the agency head determines to be significant enough to be reported outside the agency (i.e., included\n    in the annual management control report to the President and the Congress).\n\n\n\n                                                        2\n\x0c                                                                                      APPENDIX I\n\n\n                       OBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe objective of the performance audit was to answer specific questions in OMB\xe2\x80\x99s\nJuly 17, 2006 memorandum (M-06-20) entitled, FY 2006 Reporting Instructions for the\nFederal Information Security Management Act and Agency Privacy Management. To\naccomplish this objective, KPMG relied primarily on the results of the work it performed\nin support of the OIG\xe2\x80\x99s independent FISMA security evaluation.5 KPMG also performed\ncertain other audit procedures that we deemed necessary to accomplish the audit\nobjective. 
KPMG discussed each response to the OMB questions with the FDIC\xe2\x80\x99s\nDivision of Information Technology\xe2\x80\x99s Information Security Staff.\n\nKPMG did not separately perform procedures to review program performance measures,\nassess FDIC compliance with laws and regulations, evaluate the FDIC\xe2\x80\x99s management\ncontrols, or determine that computer-based data were valid and reliable. Such procedures\nwere performed in support of the OIG\xe2\x80\x99s independent security evaluation required by\nFISMA. Additionally, while KPMG did not design tests to detect fraud, waste, abuse,\nand mismanagement, throughout the audit, KPMG and the OIG were sensitive to the\npotential for fraud, waste, abuse, and mismanagement.\n\nKPMG performed the audit at the FDIC\xe2\x80\x99s Headquarters offices in Washington, D.C., and\nits Virginia Square facility in Arlington, Virginia. Also, KPMG visited the FDIC\xe2\x80\x99s\ndisaster recovery site in Richmond, Virginia. KPMG conducted the performance audit\nfrom April through August 2006 in accordance with generally accepted government\nauditing standards (GAGAS) issued by the Comptroller General of the United States.\n\n\n\n\n5\n    Independent Evaluation of the FDIC\xe2\x80\x99s Information Security Program-2006 (Report No. 06-022),\n    scheduled for issuance on September 28, 2006.\n\n\n\n                                                   3\n\x0c                                                                                                                                                                                            APPENDIX II\n\n\n\n                                                                          RESPONSES TO OMB QUESTIONS\n\n                                                                                                 Question 1 and 2\n\n1. 
As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each\nclassification below (a., b., and c.).\n\nTo meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:\n1) Continue to use NIST Special Publication 800-26, or,\n2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency, therefore, self reporting by contractors does not\nmeet the requirements of law. Self reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA\ncompliance.\n2. For each part of this question, identify actual performance in FY 06 by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated,\nidentify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested\nwithin the past year.\n\n                                                                           Question 1                                                                              Question 2\n\n                                                a.                            b.                            c.                         a.                            b.                            
c.\n                                          Agency Systems              Contractor Systems             Total Number of           Number of systems          Number of systems for          Number of systems for\n                                                                                                        Systems                  certified and            which security controls       which contingency plans\n                                                                                                                                  accredited               have been tested and            have been tested in\n                                                                                                                                                         evaluated in the last year      accordance with policy\n                                                                                                                                                                                             and guidance\n\n\n                    FIPS 199 Risk        Total        Number          Total        Number          Total        Number          Total       Percent        Total          Percent of       Total         Percent of\nAgency Name         Impact Level        Number       Reviewed        Number       Reviewed        Number       Reviewed        Number       of Total      Number            Total         Number           Total\n\nFDIC               High                        0               0            0               0            0               0            0       N/A                  0         N/A                   0        N/A\n                                                                                                                                                                      a\n                   Moderate                  136               2            2               1          138               3            3      100.0%     
          2           66.7%                2          66.7%\n                   Low                        19               0            0               0           19               0            0       N/A                  0         N/A                   0        N/A\n                   Not\n                   Categorized                 2               1            7               0            9               1            0         0.0%               0           0.0%                0           0.0%\n\n\n                   Total                     157               3           9b               1          166               4            3       75.0%                2          50.0%                2          50.0%\n\n\n\n\na\n  Security controls for one of the three certified and accredited systems had not been tested and evaluated during the current reporting period (i.e., August 1, 2005 through\n  July 31, 2006). However, security control testing and evaluation was ongoing for this system at the time of the audit.\nb\n  KPMG was unable to independently verify the total number of contractor-maintained information systems because the FDIC\xe2\x80\x99s systems inventory did not fully incorporate these\n  systems. 
KPMG\xe2\x80\x99s response to Question 1 reflects those contractor-maintained information systems that KPMG identified during the audit, as well as any systems identified for\n  KPMG by the FDIC.\n\n\n\n\n                                                                                                         4\n\x0c                                                                                                                                                                                      APPENDIX II\n\n\n\n\n                                                                                                  Question 3\n\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n\n\n         The agency performs oversight and evaluation to ensure information systems used or operated by a\n         contractor of the agency or other organization on behalf of the agency meet the requirements of\n         FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Self-reporting\n         of NIST Special Publication 800-26 and/or NIST 800-53 requirements by a contractor or other\n         organization is not sufficient, however, self-reporting by another Federal agency may be sufficient.\n 3.a.                                                                                                            
- Sometimes, for example, approximately 51-70% of the time\n         Response Categories:\n              - Rarely, for example, approximately 0-50% of the time\n              - Sometimes, for example, approximately 51-70% of the time\n              - Frequently, for example, approximately 71-80% of the time\n              - Mostly, for example, approximately 81-95% of the time\n              - Almost Always, for example, approximately 96-100% of the time\n\n\n         The agency has developed an inventory of major information systems (including major national\n         security systems) operated by or under the control of such agency, including an identification of the\n         interfaces between each such system and all other systems or networks, including those not operated\n         by or under the control of the agency.\n\n3.b.1.   Response Categories:                                                                                          - Approximately 51-70% complete\n              - Approximately 0-50% complete\n              - Approximately 51-70% complete\n              - Approximately 71-80% complete\n              - Approximately 81-95% complete\n              - Approximately 96-100% complete\n\n                                                                                                                 Missing Agency Systems: Pegasys\n                                                                                                                 We were unable to verify the number of system interfaces because the system inventory does\n                                                                                                                 not identify system interfaces between each system and all other systems or networks,\n                                                                                                                 including those not operated by or under the control of the FDIC.\n3.b.2.   
If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please list the\n         systems that are missing from the inventory.                                                            After the audit, the FDIC's Information Security Section provided an inventory of 12 major\n                                                                                                                 information systems with interfaces. We did not have the opportunity to determine whether the\n                                                                                                                 inventory was comprehensive; based on, and consistent with, FDIC policy and procedures;\n                                                                                                                 conforms to NIST guidance; or agrees with the FDIC's Enterprise Architecture.\n                                                                                                                 Missing Contractor Systems: None\n\n 3.c.    The OIG generally agrees with the CIO on the number of agency owned systems.                                                                        Yes\n\n         The OIG generally agrees with the CIO on the number of information systems used or operated by a\n3.d.                                                                                                                                                         Yes\n         contractor of the agency or other organization on behalf of the agency.\n 3.e.    The agency inventory is maintained and updated at least annually.                                                                                   Yes\n 3.f.    The agency has completed system e-authentication risk assessments.                                                                                  
Yes\n\n\n\n\n                                                                                                       5\n\x0c                                                                                                                                                                                         APPENDIX II\n\n\n\n\n                                                                                                      Question 4\n\nThrough this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate\nthe degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the area\nprovided below.\n\nFor items 4a.-4.f, the response categories are as follows:\n\n      -   Rarely, for example, approximately 0-50% of the time\n      -   Sometimes, for example, approximately 51-70% of the time\n      -   Frequently, for example, approximately 71-80% of the time\n      -   Mostly, for example, approximately 81-95% of the time\n      -   Almost Always, for example, approximately 96-100% of the time\n\n\n                             The POA&M is an agency wide process, incorporating all known IT security weaknesses\n            4.a.             associated with information systems used or operated by the agency or by a contractor of the          - Mostly, for example, approximately 81-95% of the time\n                             agency or other organization on behalf of the agency.\n\n\n\n                             When an IT security weakness is identified, program officials (including CIOs, if they own or\n            4.b.                                                                                                                   
- Mostly, for example, approximately 81-95% of the time\n                             operate a system) develop, implement, and manage POA&Ms for their system(s).\n\n\n\n                             Program officials, including contractors, report to the CIO on a regular basis (at least quarterly)\n            4.c.                                                                                                                   - Almost Always, for example, approximately 96-100% of the time\n                             on their remediation progress.\n\n\n\n            4.d.             CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.          - Almost Always, for example, approximately 96-100% of the time\n\n\n\n            4.e.             OIG findings are incorporated into the POA&M process.                                                 - Mostly, for example, approximately 81-95% of the time\n\n\n\n                             POA&M process prioritizes IT security weaknesses to help ensure significant IT security\n            4.f.                                                                                                                   - Almost Always, for example, approximately 96-100% of the time\n                             weaknesses are addressed in a timely manner and receive appropriate resources\n\n\nComments: Although the FDIC has developed policy and guidelines for preparing and managing system-level POA&Ms, the FDIC needed to modify its POA&M procedures to ensure that system-level\nPOA&Ms either reflect consolidation of, or are accompanied by, other FDIC plans to correct all relevant information technology (IT) security weaknesses, including weaknesses identified in Government\nAccountability Office (GAO) and OIG reports and any other IT security review. 
Current certification and accreditation (C&A) guidelines provide that security test and evaluation (ST&E) weaknesses are included\nin system-level POA&Ms. In addition, the FDIC tracks system-level security weaknesses in a number of standalone spreadsheets and databases based on how the weakness is identified. For example,\nsystem-level security weaknesses identified by the GAO, OIG, or internal FDIC reviews are managed in the FDIC\xe2\x80\x99s Internal Risks Information System; and system-level security weaknesses identified by\nsystem tests and evaluations are managed in system-level POA&Ms. The Division of Information Technology can better integrate its management of security weaknesses by developing system-level POA&Ms\nthat include all relevant security weaknesses, either through consolidation or as a POA&M attachment.\n\n\n\n\n                                                                                                           6\n\x0c                                                                                                                                                                                          APPENDIX II\n\n\n\n\n                                                                                                    Question 5\n\n\n\n\nOIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency\xe2\x80\x99s certification and accreditation process, including adherence to\nexisting policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, \xe2\x80\x9cGuide for the Security Certification and Accreditation of Federal Information Systems\xe2\x80\x9d (May, 2004) for\ncertification and accreditation work initiated after May, 2004. 
This includes use of the FIPS 199 (February, 2004), \xe2\x80\x9cStandards for Security Categorization of Federal Information and Information Systems,\xe2\x80\x9d to\ndetermine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.\n\n\n\n\n                             Assess the overall quality of the Department\xe2\x80\x99s certification and accreditation process.\n\n                             Response Categories:\n                                  - Excellent\n                                                                                                                                 - Satisfactory\n                                  - Good\n                                  - Satisfactory\n                                  - Poor\n                                  - Failing\n\n\n\n\nComments: The FDIC established a C&A program consisting of policies, procedures, and guidelines; key personnel, such as a Certification Agent and Authorizing Official; an independent ST&E process; and\nPOA&Ms for tracking and remediating security weaknesses. In February 2006, the OIG issued an audit report recognizing that the FDIC\xe2\x80\x99s C&A policies, procedures, and practices were satisfactory and\nconsistent with federal security standards and guidelines but that opportunities for enhancements in some areas could be made (Report No. 06-007, Audit of the FDIC\xe2\x80\x99s Security Certification and Accreditation\nProgram, dated February 2006). At the close of KPMG\xe2\x80\x99s audit, the FDIC was working to define information security risk management procedures for performing (a) continuous monitoring of its information\nsystems after accreditation and (b) contingency planning of its information systems.\n\nThe FDIC has fully certified and accredited all but one of its major applications and general support systems consistent with NIST security standards and guidelines. 
(The remaining major application is operating under an interim authority to operate.) In addition, the FDIC revised its information security risk management methodology in June 2006 to achieve cost-efficiencies in its C&A processes by consolidating its non-major information systems that process sensitive data through an aggregation process. However, more work remains to complete C&As for the FDIC’s non-major information systems that process sensitive data.

Question 6

     6.a. Is there an agency-wide security configuration policy? Yes or No.
          Response: Yes
          Comments: None

     6.b. Configuration guides are available for the products listed below. Identify which software is addressed in the agency-wide security configuration policy. Indicate whether or not any agency systems run the software.
In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.

          Response choices for the extent of implementation include:
          - Rarely, or on approximately 0-50% of the systems running this software
          - Sometimes, or on approximately 51-70% of the systems running this software
          - Frequently, or on approximately 71-80% of the systems running this software
          - Mostly, or on approximately 81-95% of the systems running this software
          - Almost Always, or on approximately 96-100% of the systems running this software

     Product                     Addressed in          Do any agency systems     Approximate extent of implementation of the
                                 agency-wide policy?   run this software?        security configuration policy on the systems
                                 (Yes, No, or N/A)     (Yes or No)               running the software
     Windows XP Professional     Yes                   Yes                       Almost Always, or on approximately 96-100% of the systems running this software
     Windows NT                  Yes                   Yes                       Mostly, or on approximately 81-95% of the systems running this software
     Windows 2000 Professional   N/A                   No
     Windows 2000 Server         Yes                   Yes                       Mostly, or on approximately 81-95% of the systems running this software
     Windows 2003 Server         Yes                   Yes                       Almost Always, or on approximately 96-100% of the systems running this software
     Solaris                     Yes                   Yes                       Mostly, or on approximately 81-95% of the systems running this software
     HP-UX                       N/A                   No
     Linux                       Yes                   Yes                       Mostly, or on approximately 81-95% of the systems running this software
     Cisco Router IOS            Yes                   Yes                       Almost Always, or on approximately 96-100% of the systems running this software
     Oracle                      Yes                   Yes                       Mostly, or on approximately 81-95% of the systems running this software
     Other                       N/A                   No

Comments: The results in the far right-hand column are derived from KPMG’s analysis of the results from the FDIC’s July 2006 Foundstone vulnerability scan and the June 2006 Cisco Router Auditing Tool data. Specifically, KPMG determined the extent to which the products KPMG sampled were consistent with the FDIC’s configuration requirements and best practices.

Question 7

Indicate whether or not the following policies and procedures are in place at your agency.
If appropriate or necessary, include comments in the area provided below.

     7.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.
          Response: Yes

     7.b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. Yes or No.
          Response: Yes

     7.c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov. Yes or No.
          Response: Yes

Comments: None

Question 8

     8. Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities?

          Response Choices include:
          - Rarely, or approximately 0-50% of employees have sufficient training
          - Sometimes, or approximately 51-70% of employees have sufficient training
          - Frequently, or approximately 71-80% of employees have sufficient training
          - Mostly, or approximately 81-95% of employees have sufficient training
          - Almost Always, or approximately 96-100% of employees have sufficient training

          Response: Almost Always, or approximately 96-100% of employees have sufficient training

Question 9

     9. Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No.
          Response: Yes